401 when curl -kv https://localhost:9200 -u admin:${OPENSEARCH_INITIAL_ADMIN_PASSWORD} on new localhost instance

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • latest installed via docker-compose

Describe the issue:
I installed latest version of opensearch and dashboard using docker compose on 19/sept 2024.
New localhost test instance.
I cannot curl to the API, get a 401.

 % echo $OPENSEARCH_INITIAL_ADMIN_PASSWORD                           
myStrongPassword123@456
% curl -kv https://localhost:9200 -u admin:${OPENSEARCH_INITIAL_ADMIN_PASSWORD}
* Host localhost:9200 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9200...
* Connected to localhost (::1) port 9200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=localhost
*  start date: Sep 18 23:58:42 2024 GMT
*  expire date: Sep 18 23:58:42 2025 GMT
*  issuer: CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'admin'
> GET / HTTP/1.1
> Host: localhost:9200
> Authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyM0A0NTY=
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="OpenSearch Security"
< content-type: text/plain; charset=UTF-8
< content-length: 12
< 
* Connection #0 to host localhost left intact
Unauthorized%  

Configuration:
Here’s my docker-compose.yml file:

version: ‘3’
services:
opensearch-node1:
image: opensearchproject/opensearch:2.8.0
container_name: opensearch-node1
environment:
# - discovery.type=single-node
- cluster.name=opensearch-cluster
- node.name=opensearch-node1
- discovery.seed_hosts=opensearch-node1
- cluster.initial_cluster_manager_nodes=opensearch-node1
- bootstrap.memory_lock=true
- “OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m”
- “OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}”
- plugins.security.ssl.http.enabled=true
- plugins.security.ssl.http.pemcert_filepath=certs/opensearch-cert.pem
- plugins.security.ssl.http.pemkey_filepath=certs/opensearch-key.pem
- plugins.security.ssl.http.pemtrustedcas_filepath=certs/opensearch-cert.pem
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
hard: 65536
volumes:
- opensearch-data:/usr/share/opensearch/data
- ./certs:/usr/share/opensearch/config/certs # Mount your certificate
ports:
- 9200:9200
- 9600:9600 # required for Performance Analyzer
networks:
- opensearch-net

opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:2.8.0
container_name: opensearch-dashboards
ports:
- 5601:5601
expose:
- “5601”
environment:
OPENSEARCH_HOSTS: ‘[“https://opensearch-node1:9200”]’
networks:
- opensearch-net

redis:
image: redis:latest
container_name: redis
environment:
- REDIS_REPLICATION_MODE=none
volumes:
- redis-data:/data
ports:
- 6379:6379
networks:
- opensearch-net

volumes:
opensearch-data:
redis-data:

networks:
opensearch-net:


**Relevant Logs or Screenshots**: 

I also tried with the following docker-compose it makes no difference. 

version: ‘3’
services:
opensearch-node1:
image: opensearchproject/opensearch:2.8.0
container_name: opensearch-node1
environment:
# - discovery.type=single-node
- cluster.name=opensearch-cluster
- node.name=opensearch-node1
- discovery.seed_hosts=opensearch-node1
- cluster.initial_cluster_manager_nodes=opensearch-node1
- bootstrap.memory_lock=true
- “OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m”
- “OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_INITIAL_ADMIN_PASSWORD}”
# - plugins.security.ssl.http.enabled=true
# - plugins.security.ssl.http.pemcert_filepath=certs/opensearch-cert.pem
# - plugins.security.ssl.http.pemkey_filepath=certs/opensearch-key.pem
# - plugins.security.ssl.http.pemtrustedcas_filepath=certs/opensearch-cert.pem
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
hard: 65536
volumes:
- opensearch-data:/usr/share/opensearch/data
# - ./certs:/usr/share/opensearch/config/certs # Mount your certificate
ports:
- 9200:9200
- 9600:9600 # required for Performance Analyzer
networks:
- opensearch-net

opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:2.8.0
container_name: opensearch-dashboards
ports:
- 5601:5601
expose:
- “5601”
environment:
OPENSEARCH_HOSTS: ‘[“https://opensearch-node1:9200”]’
networks:
- opensearch-net

redis:
image: redis:latest
container_name: redis
environment:
- REDIS_REPLICATION_MODE=none
volumes:
- redis-data:/data
ports:
- 6379:6379
networks:
- opensearch-net

volumes:
opensearch-data:
redis-data:

networks:
opensearch-net:

Hi @Isabelle1 ,

Could you please check if there is OPENSEARCH_INITIAL_ADMIN_PASSWORD env parameter inside the docker container? To do that, please execute the following commands:

docker exec -it <docker-container-name> sh
env | grep OPENSEARCH_INITIAL_ADMIN_PASSWORD